Remember Malware Campaign Targeting Chrome Users? Now Encrypts Victim Data with Ransomware


Only a few weeks ago, we shared with our readers a malware campaign that was targeting Chrome users on Windows computers. First spotted in December 2016, the campaign uses the infamous EITest chain that has been used in multiple exploit kits leading to identity theft, ransomware and other kinds of attacks. While earlier, it was only targeting Chrome users with malware, latest research has spotted the same campaign now dropping ransomware, holding user data hostage for ransom.

Fake "Chrome Font" attack is now dropping ransomware

Security researchers at Proofpoint had detailed last month a malware targeting Chrome users on Windows. They shared how the EITest gang first hacks legitimate websites and then add JavaScript code that will cause the page to display a pop up alert. This alert, which asks you to download a Chrome Font Pack, makes the page content unreadable since you can't use the "X" button to close it. This ensures that more users fall for this trap.

AMD presents Ryzen 5000 C-Series series for Chromebooks with up to eight Zen3 cores and 15W TDP levels

Using social engineering tactics, the campaign has experienced some changes lately. Brad Duncan of Palo Alto Networks has reported that the final payload has now been replaced with the Spora ransomware. While the infection mechanism remains same, the campaign now encrypts victim data and demands ransom.

In the earlier version, the campaign was installing a file named Chrome_Font.exe, downloading a trojan called Fleercivet.

Now, the file has been renamed to Update.exe, which is an installer for the Spora Ransomware. Once a user launches this executable, Spora will begin to encrypt victim's data.

There is, however, a good news. The ransomware campaign requires the victim to not only download but also manually execute the file. Since it uses official Google fonts and style, there is a high chance of this campaign tricking unwitting users in installing the executable file. Once you double-click the exe file, consider your data taken.

Currently, there is no way to decrypt the hostage files encrypted by Spora Ransomware for free. But, thanks to researchers actively keeping up to date with the growth of this malware, hopefully, more users are now aware of this ransomware. Again, close any websites that show you a popup saying you need to download or update Chrome Font Pack - only brings bad news.